A NetApp test, aclfunc.exe seems to think that DACLs with unneeded zeros should not be resized

Tue Apr 3 16:05:41 MDT 2012

Richard

There are applications in the enterprise space that abuses the ACL and
stores binary data inside an ACE.

I.e.  storing things that are not the usual mask/sid thing at all but
just pure applicationspecific binjary data.

Sometimes seen in enterprise class backup and ilm applications.

This is from the patch to wireshark when I had to add this to stop
these "not-an-ACE-at-all-really" from segv wireshark.
Wireshark naively assumed everything in the ACL was a genuine ACE and
got "surprised" :-)

sahlberg at sahlberg-laptop:/shared/tmp$ cat  naugthy-ace.txt
------------------------------------------------------------------------
r16881 | sahlberg | 2005-12-22 19:51:50 +1100 (Thu, 22 Dec 2005) | 10 lines

some ACEs are not used for authorization and thus do NOT contain an
access mask and a SID.

make the dissection of the ACL check the type for each individual ACE
and only dissect  as access mask and sid  those ACEs we know how to
handle.

this prevents ethereal from dumping on w32 if we encounter any of
these "special" ACE entries,   such as the ones used for storing
location data for offline files.

...
+	
+	/* some ACE types we not yet handle store other things than access mask
+	 * and SID in here.
+	 * sometimes things that are not related at all to access control.
+	 *    naughty naughty.    -- ronnie
+	 */
+	switch(type){
+	case ACE_TYPE_ACCESS_ALLOWED:
+	case ACE_TYPE_ACCESS_DENIED:
+	case ACE_TYPE_SYSTEM_AUDIT:
+	case ACE_TYPE_SYSTEM_ALARM:
...

Guess you dont encounter these apps all that often.
Since you can store up to 64kb of binary data there in each one, that
is quite a lot of space to hide things.

regards
ronnie sahlberg

On Wed, Apr 4, 2012 at 6:14 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> Hi,
>
> One of our QA staff is using a NetApp Windows app called aclfunc.exe.
>
> One of those the tests, the Resize ACL Test fails when run against
> Samba (3.5.12+).
>
> What this precious little test does is to read the DACL from a
> directory, pad it out to around 1000 bytes with zeros (the size field
> in the DACL becomes 1000 or 1004) and then write it back to the
> directory. It subsequently reads the DACL back, and if it is not the
> correct, padded size, it declares the test as failed.
>
> So, does it matter? Is there anything in Windows which says that you
> must store exactly the DACL that you were handed? Why would that be
> needed?
>
> --
> Regards,
> Richard Sharpe
> (何以解憂？唯有杜康。--曹操)